It has become commonplace for employers to collect and store data relating to the vaccination status of their employees. When doing so, it is important for employers to be mindful of the obligations that may arise under the Privacy Act 1988 (Cth) (Privacy Act). We explain below the scope and application of the Privacy Act in respect of information about employees' vaccination status.
Is information about vaccination status within the scope of the Privacy Act?
Australian Privacy Principles (APPs) are located in Schedule 1 of the Privacy Act, and work to govern the standards, rights and obligations around the collection, use and disclosure of personal information. Breaching an APP is considered an interference with the privacy of an individual, and can invoke regulatory action or penalties.
Information about a person's vaccination status is considered to be personal information, and is therefore subject to the APPs. This is because information about an individual's vaccination status falls within the meaning of 'health information' as defined within section 6FA of the Privacy Act. Health information is classified under the Privacy Act as 'sensitive information' so information about vaccination status is afforded a higher standard of protection.
Do all employers have to comply with the APPs?
The APPs apply to any 'APP entity', that is, any organisation or agency regulated by the Privacy Act that:
- had an annual turnover of over $3 million for the previous financial year; or
- provides a health service or otherwise holds health information; or
- discloses or collects personal information about another individual for a benefit, service or advantage; or
- is a contract service provider for a Commonwealth contract or a credit reporting body.
Registered political parties and state or territory authorities are not considered to be APP entities.
APP 3: When is it appropriate for employers to collect information about vaccination?
An APP entity may collect employee information relating to vaccination status if the collection is authorised by an Australian law, court/tribunal order, or public health order.
If the collection of information relating to vaccination status has not been authorised, an employer can only collect this information if the employee consents to its collection, and the information is reasonably necessary for the entity's functions or activities.
If an employee does not consent to the collection of information relating to their vaccination status, an employer may still collect this information if one of the seven exemptions located in s 16A of the Privacy Act applies. For example, per exemption one, employers are able to collect information about the vaccination status of an employee where collection of the information is necessary to prevent or lessen a serious threat to the life, health, or safety of any individual, or to public health and safety.
It is important to note that employers can only collect information using lawful and fair means, and the information must come directly from the individual unless an exemption applies.
Construction, Forestry, Maritime, Mining and Energy Union v BHP Coal Pty Ltd t/a BHP Billiton Mitsubishi Alliance  FWC 81
The Fair Work Commission in Construction, Forestry, Maritime, Mining and Energy Union v BHP Coal Pty Ltd t/a BHP Billiton Mitsubishi Alliance (BHP Case) found that Mt Arthur Coal were not in breach of APP 3 when they requested employees supply their proof of vaccination status as a condition of entry to the Queensland sites.
This finding was made based on the fact that BHP did not collect information relating to their employees' vaccination status without their employees' consent, and that proof of vaccination is reasonably necessary for BHP to perform the entity's functions and activities.
APP 6: How can information about vaccination status be used and disclosed by employers?
APP 6 outlines when it is appropriate for APP entities to use and disclose personal information. If an employer holds personal information about an employee that was collected for a specific purpose, the information cannot be used or disclosed for another purpose, unless one of the five exemptions stated in APP 6.2 applies. These exemptions include situations where the individual has consented to their information being used or disclosed for an alternate purpose, and where the law authorises the use and disclosure of the information.
This means that if an employer collects and then retains information relating to the vaccination status of an employee for a particular purpose, they must not use or disclose this information for any other purpose, unless an exemption applies.
APP 11: How can employers protect employee vaccination information?
Given the sensitive nature of information relating to health, it is unsurprising that many employees have concerns about how their employers are storing their information. Certificates of vaccination contain private information that can be used to find out more than just an employee's vaccination status. By submitting a COVID-19 digital certificate or Immunisation History Statement to an employer, employees are also disclosing their individual healthcare identifier, which can be used by healthcare providers to access patient records through My Health Records.
APP 11 requires that APP entities take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Additionally, unless an APP entity is required by law to retain the information, once it no longer needs the information for the purpose for which it was disclosed, it must take reasonable steps to destroy the information or ensure that the information is de-identified.
Australian Licenced Aircraft Engineers Association v Virgin Australia Airlines Pty Ltd ACN 090 670 965 & ORS
In Australian Licenced Aircraft Engineers Association v Virgin Australia Airlines Pty Ltd (Virgin Case) the Federal Court ordered Virgin Australia to delete all the COVID-19 digital certificates and Immunisation History Statements of its employees. This came after the Australian Licenced Aircraft Engineers Association raised its concerns that Virgin Australia may use the individual healthcare identifier found on the proof of vaccination documents for purposes unrelated to the verification of vaccination status.
The Court also ordered that Virgin Australia not use the individual healthcare identifiers contained in the proof of vaccination documents, and to allow its employees to submit alternate forms of proof of vaccination that do not contain the employees' individual healthcare identifier. Virgin Australia is now required to delete all forms of proof of vaccination within 48 hours of the verification of documents.
The BHP Case and Virgin Case are timely reminders of the importance of adhering to the APPs when collecting and storing information related to the vaccination status of employees. Employers must be aware of when it is appropriate to ask employees for proof of vaccination, and should only use it for the purpose for which it was obtained. Additionally, due to the sensitive nature of healthcare information, employers should be conscious of their obligation to protect and subsequently destroy their employees' proof of vaccination records.